CVE-2022-34903

Summary

CVE	CVE-2022-34903
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-01 22:15:00 UTC
Updated	2023-11-07 03:48:00 UTC
Description	GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Risk And Classification

Problem Types: CWE-74

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Application	Gnupg	Gnupg	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Ontap Select Deploy Administration Utility	-	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 35 Update: gnupg2-2.3.4-2.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: gnupg2-2.3.4-2.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 36 Update: gnupg1-1.4.23-18.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
oss-security - GnuPG signature spoofing via status line injection	MISC	www.openwall.com
[SECURITY] Fedora 35 Update: gnupg1-1.4.23-18.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
#1014157 - gnupg: vulnerable to status injection - Debian Bug report logs	MISC	bugs.debian.org
[SECURITY] Fedora 36 Update: gnupg2-2.3.6-2.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
oss-security - Re: GnuPG signature spoofing via status line injection	MLIST	www.openwall.com
CVE-2022-34903 GnuPG Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 36 Update: gnupg1-1.4.23-18.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 36 Update: gnupg2-2.3.6-2.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 35 Update: gnupg1-1.4.23-18.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Debian -- Security Information -- DSA-5174-1 gnupg2	DEBIAN	www.debian.org
⚓ T6027 Revisit write_status_text_and buffer	MISC	dev.gnupg.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160085 Oracle Enterprise Linux Security Update for gnupg2 (ELSA-2022-6463)
160102 Oracle Enterprise Linux Security Update for gnupg2 (ELSA-2022-6602)
180606 Debian Security Update for gnupg2 (DSA 5174-1)
184489 Debian Security Update for gnupg2 (CVE-2022-34903)
198848 Ubuntu Security Notification for GnuPG Vulnerability (USN-5503-1)
240658 Red Hat Update for gnupg2 (RHSA-2022:6463)
240683 Red Hat Update for gnupg2 (RHSA-2022:6602)
282905 Fedora Security Update for gnupg2 (FEDORA-2022-aa14d396dd)
282962 Fedora Security Update for gnupg2 (FEDORA-2022-1124e5882d)
282977 Fedora Security Update for gnupg1 (FEDORA-2022-0dbfb7e270)
282978 Fedora Security Update for gnupg1 (FEDORA-2022-1747eea46c)
354043 Amazon Linux Security Advisory for gnupg2 : ALAS2-2022-1834
354048 Amazon Linux Security Advisory for gnupg2 : ALAS-2022-1630
354361 Amazon Linux Security Advisory for gnupg2 : ALAS2022-2022-207
354374 Amazon Linux Security Advisory for gnupg2 : ALAS2022-2022-126
354640 Amazon Linux Security Advisory for gnupg2 : AL2012-2022-372
355206 Amazon Linux Security Advisory for gnupg2 : ALAS2023-2023-087
502412 Alpine Linux Security Update for gnupg
502414 Alpine Linux Security Update for gnupg
502417 Alpine Linux Security Update for gnupg
503975 Alpine Linux Security Update for gnupg
672095 EulerOS Security Update for gnupg2 (EulerOS-SA-2022-2287)
672116 EulerOS Security Update for gnupg2 (EulerOS-SA-2022-2316)
672190 EulerOS Security Update for gnupg2 (EulerOS-SA-2022-2460)
672264 EulerOS Security Update for gnupg2 (EulerOS-SA-2022-2649)
672270 EulerOS Security Update for gnupg2 (EulerOS-SA-2022-2681)
672323 EulerOS Security Update for gnupg2 (EulerOS-SA-2022-2709)
752377 SUSE Enterprise Linux Security Update for gpg2 (SUSE-SU-2022:2529-1)
752386 SUSE Enterprise Linux Security Update for gpg2 (SUSE-SU-2022:2546-1)
752563 SUSE Enterprise Linux Security Update for gpg2 (SUSE-SU-2022:3144-1)
902450 Common Base Linux Mariner (CBL-Mariner) Security Update for gnupg2 (10077)
902452 Common Base Linux Mariner (CBL-Mariner) Security Update for gnupg2 (10074)
903894 Common Base Linux Mariner (CBL-Mariner) Security Update for gnupg2 (10074-1)
906967 Common Base Linux Mariner (CBL-Mariner) Security Update for gnupg2 (10077-1)
940663 AlmaLinux Security Update for gnupg2 (ALSA-2022:6463)
940682 AlmaLinux Security Update for gnupg2 (ALSA-2022:6602)
960241 Rocky Linux Security Update for gnupg2 (RLSA-2022:6463)
960576 Rocky Linux Security Update for gnupg2 (RLSA-2022:6602)